It is working but not secure enough because of this php_admin_value open_basedir "C:/aweb/freehosting/users/"

Bad script can see and fully control anything in folder /users/
I tried to do so php_admin_value open_basedir "C:/aweb/freehosting/users/%1/"
Bad alas it is not so easy as with VirtualDocumentRoot

So I’ve got some questions:
1. How to lock users in their respective folders
2. How to disable user to access his web page through http://pcsny.org/users/%newuser%/ and redirect them to appropriate sub domain (because this way they gain full control over system)?
3. Will .htaccess in user’s folder override all my security efforts to zero? How to prevent this without disabling .htaccess?

Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.

2. How to disable user to access his web page through http://pcsny.org/users/%newuser%/ and redirect them to appropriate sub domain (because this way they gain full control over system)?

The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"